Back in 1995 the junior high school students around the world were taken in by a sensationalized and carefully marketed hoax film called Alien Autopsy. Alien Autopsy was in fact a cheap film purporting to be actual footage of an actual autopsy of the cadaver of an extraterrestrial. The film was marketed as footage shot during the famous 1947 Roswell incident.

Alien Autopsy photo by jurvetson.

Well, back in 1995 I was in a mood for a good laugh so I popped up some popcorn, chilled a six-pack of Mountain Dew and kicked up my feet for a little silly entertainment. A couple of friends came over just in time for the show. So, I popped more popcorn, chilled more drinks and we all had a great time giggling, guffawing, and generally acting like a bunch of nitwits having some good clean fun.

Then in 2005, my wife asked if I could sit down with her to watch something called Grey’s Anatomy. Thinking that I was about to relive a guilty pleasure from ten years before, I readily agreed. Let’s face it, a show called Grey’s Anatomy could only be a sequel to the 1995 Alien Autopsy.

Well, having been fooled, I shared my mistake and agony with the guys at work the next day. To say the least, they were amused at the story but entirely at my expense. Some mistakes in life should just never be mentioned again.

I hope that is not the case with today’s comments. Today, I’d like to encourage you all to down load and read my paper on the History of Digital Forensics (.pdf caveat applies). It is based on a paper I presented at NIST’s annual digital forensics conference. However, since the slides from briefings do not read well, I converted the presentation to prose. Dissect it as you think appropriate. That is to say, let me know what you think.

• Digital Forensics: Who should make the keys?
• Ed Bellis’s Little SCAP Project
• Database Activity Monitoring for the Government
• Security Automation Developers Conference Slides
• Barcode Hacking

It’s a sad tale we all know too well:  our poor CISOs are tied down with red tape while the attackers have all the time in the world.  My only regret is that the hakker kitteh isn’t a siamese.  =)

• LOLCATS Take on Catalog of Controls
• Lolcats Protect the End Users
• Noms and IKANHAZFIZMA
• LOLCATS Take on MS08-67
• Lolcats, Capital Hill, and a Haiku

Rybolov really struck a note with me (as he usually does) with his blog entry with his decision that S.3474 was a bad thing. It reminds me of a conversation I had with a friend recently. Basically she ask me why bad thing happen even after smart people put their heads together and try to deal with the problem before facing a crisis. Intrigued with her question, I asked her what specifically she was asking about. She shared that she had been thinking about the tragedy of the Titanic sinking.

Of course she was referring to the sinking of the passenger ship RMS Titanic on the evening of 14 April 1912. She made two points, first that the experts declared that the ship was “unsinkable” – how could they be so wrong. Second, she wondered how the ship could be so poorly equipped with boats and safety equipment such that there was such great loss of life.

The Titanic’s Disaster photo by bobster1985.

Little did she know that I have had an odd fascination with the Titanic disaster since childhood and have basically read much of the common public material about the event. So, I replied that that no expert had ever declared her unsinkable, that it was basically something that was made up by the press and the dark spineless things that hang around the press. However, I added the designers and owners of the ship had made much of her advanced safety features when she was launched. A critical feature was including water-tight bulkheads in her design. This was something of an advanced and novel feature at the time. What it meant was that you could poke a pretty big hole in the ship, and as long as the whole was not spread over several of these water-tight compartments she would stay afloat. The problem was that the iceberg that she hit (the Titanic, not my friend), ignored all of this a tore a big gash along about a third of the length of the ship.

So, my friend pressed again about the lack of safety equipment, especially lifeboats. I told her that the problem here was that the Titanic indeed did meet all of the safety requirements of the time. And that a big part of the problem was that the safety requirements were drafted in 1894 at a time when there were rapid changes and in the size and design of ships of this kind. Those regulations indicated that all passenger ships over 10,000 tons required 16 life boats, and that’s how many the Titanic had. At the time the regulations were written there were hardly any ships over 10,000 tons in size. However, when Titanic was launched she was designed to be over 50,000 tons when fully loaded. The fact was that if each of these lifeboats was fully loaded they could barely hold half of the of the passengers and crew of the ship if fully loaded. What is worse, when the ship did sink, not all of the boats were usable because of speed and angle in which the ship began sinking.

So, the bottom-line was that when the Titanic was reviewed by the safety accountants, they took out their check-list and went over the ship with a fine tooth comb. When the day was done the ship fully met all the safety criteria and was certified as safe.

This is where I see the parallels between root causes of the Titanic disaster and the odd situation we find ourselves in today in terms of IT security. Security by checklist –especially out of date checklists—simply doesn’t work. Moreover, the entire mental framework that mixes up accounting practices and thoughts with security discipline and research is an utter failure. Audits only uncover the most egregious security failures. And, they uncover them at a point in time. The result is that audits can be gamed, and even ignored. On the other hand, formal reviews by experienced security professionals are rarely ignored. Sometimes not all of the resources are available to militate against some of the vulnerabilities pointed out by the professionals. And sometimes there is debate about the validity of specific observations made by security professionals. But, they are rarely ignored.

Interesting enough, because of the mixed IT security record of many government agencies, Congress is proposing – more audits! It seems to me what they should be considering is strengthening the management of IT security and moving from security audits often performed by unqualified individuals and teams toward security assessments conducted by security professionals. And since professionals are conducting these proposed assessments, they should be required to comment on the seriousness of deficiencies and possible mitigation actions. An additional assessment that the professionals should be required to report on is the adequacy of funding, staffing and higher management support. I don’t really see any point in giving a security program a failing grade if the existing program is well managed but subverted and underfunded by the department’s leadership.

• FedRAMP: It’s Here but Not Yet Here
• In Other News, I’m Saying “Nyet” on S.3474
• GAO’s 5 Steps to “Fix” FISMA
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 2
• “Machines Don’t Cause Risk, People Do!”

Not that I’m creative enough to come up with this, the guilty parties behind the werds are shrdlu and danphilpott.

• Exhaustive Security Testing is Bad For You
• More Security Controls You Won’t See in 800-53: Now in LOLCAT Form!
• The Authorizing Official and the Lolcat
• IKANHAZFIZMA Does Awareness Training
• Legacy Systems: Where the Catalog Falls Apart and LOLCATS Roam

What do you get when you have too many observers and not enough doers? You get the current state of oversight in the Government’s IT security implementation.  With the focus supposedly switching from building projects to continuous monitoring, it leaves a question lingering in the back of my mind: are the auditors going to switch to near-real-time observation?

Hence, the age-old cybersecurity question:

• Legacy Systems: Where the Catalog Falls Apart and LOLCATS Roam
• Lolcats take on Laws, Sausage, Cyberwhatzits, and PCI
• Desperately Seeking a Cybersecurity Czar^wCoordinator
• Beware the Audit Hammer
• Auditors and LULZ

I love transition time.  We get all sorts of strange people who come in, issue their letters on how they think the Government can solve the major cybersecurity issues for both the Government’s IT systems and for the rest of the US as a whole.  And then, they all leave.

Nobody actually implements the suggestions because it takes time, effort, and money to get them done, and all that anybody ever wants to give is talk.  Talk is cheap, security is not.

Many years ago when I became an infantryman, our guest speaker at graduation made one of the most profound statements that I remember over 8 years later: “Infantrymen vote with their feet”. In other words, we’re doers, not talkers, and at one point in our lives we decided that something was important enough to give up 4 years of our lives, maybe more, for this cause.  Even Colonel Davy Crockett after he lost re-election to the House of Representatives wrote “I told the people of my district that I would serve them as faithfully as I had done; but if not … you may all go to hell, and I will go to Texas.”  He died less than 3 years later at the Alamo.  That, ladies and gentlemen, is how you vote with your feet.

My personal belief is that the primary problem the Government has with security (on both sides of the InfoSec Equities Issue) is that there is a lack of skilled security practitioners upon which to draw from.  If you think about everything we’ve done to date, it’s almost always a way of compensating for our lack of skilled people:

• Reducing security to a bunch of checklists
• Providing templates to non-security staff
• Automation wherever possible
• “Importing” non-security specialists such as accountants and technical writers in security roles
• Building a “Franchise Kit” upon which to base a security program
• Reserving key decisions for trained security staff

As an industry, we have failed (at least in the public sector) at generating people with the skills to do the job.

And in light of this, my challenge to you:  have a good idea and think you know how to solve the information security?  Yes, we need those, but what we really need are IT security infantrymen who are willing to be doers instead of talkers.  To answer the title of my blog post, the thing that the Government is missing is you.

Infantry Action Photo by Army.mil

So how can you help?  I know moving to DC is a bit of a stretch for most of you to do.  This is a short list of ideas what you can do:

• Learn how the Government secures systems: don’t just dismiss outright what people in DC are doing because conventional wisdom says that it is failing miserably, and don’t listen to people who do the same.
• Actively recruitment of techies to “embrace the dark side” and become security people:  We need more technically-savvy security people.
• Answer the call from DHS when it comes: living in DC is isolating from the rest of the world and all fo the good ideas that are out there.  Maybe you have a phenomenal microstrategy on how to secure IT.  They/we need to know them.  The Government cannot succeed at securing cyberspace (whatever your interpretation of that phrase means) without input from the private sector.
• Don’t engage the Government only when there’s money in it for you. ~$8B is a ton of money, but if you’re doing your job right as a vendor, you’re solving their problems as a first priority, not a second.
• Build a better education system for security staff and make better career paths to get people from the technical disciplines into security.

• Inside the Obama Administration’s Cyber Security Agenda
• Now ISC2 Blogs have an Opinion on FISMA
• In Other News, I’m Saying “Nyet” on S.3474
• Cyber Security coming to a boil
• A Step Inside the Guerilla CISO’s Mind